The Power of Open Source for Business

Recently there's been several interesting blogs on the issue of open source licensing and attribution. Let me try to summarize the discussion and see if I can highlight some areas of concern.

Historically there have been many different licenses used for open source products. While there are not as many open source licenses as there are closed source, it has at times been confusing for users of open source to understand the subtle distinctions in the terms of different licenses. In fact that's one of the reasons MySQL adopted the GPL license many years back. Originally, MySQL had its own open source license, but so many people were familiar with the GPL from its use on Linux, that we figured if it was good enough for Linus it was good enough for us. We also liked the reciprocity of the GPL license since it enabled us to have a "quid pro quo" approach that enables people to use MySQL under the GPL if they are GPL and we were able to provide it under a commercial license for those who did not want to use GPL. And in fact, we extended this freedom to other FOSS software users to ensure there is compatibility between MySQL's GPL license and many other licenses out there including the BSD License, Apache License, PHP license etc. (Technically this is called the MySQL FLOSS Exception which sounds like its about dental hygiene, but its really about extending the freedom of MySQL to other open source licenses.)

When we looked at how to decide which licenses we would be compatible with, we didn't want to review every license under the sun, so we explicitly referenced licenses declared open source by the OSI (Open Source Initiative). Despite it's fancy sounding name, the OSI definition of open source is really an opinion. It's not an official standards body, it's not sanctioned by legislation, they do not have a trademark on the words "open source', and there are no requirements to adhere to it's definition. So anyone can call software open source without the OSI's approval. It's like if you decided to formally announce your definition for good taste and encouraged others to follow it.

That being said, the OSI's definition is a pretty good one and it recognizes that while there is no "one size fits all" license, it's good to have some common elements that make up open source. For example, the OSI definition includes such clauses as Free Redistribution, Availability of Source Code, Ability to Create Derived Works, No Discrimination, and so on.

They also list on their web site the latest OSI approved licenses which they consider to have met the OSI definition of open source. There are several dozen licenses listed there ranging from Apache 2.0 to the Zope Public license with all of the popular licenses as well as some rather obscure ones from private companies like Apple,Mitre, Nokia and Sybase among others.

The OSI is actually a very modest non-profit organization and while it does not have formalized membership programs, MySQL has been an occasional contributor. They do offer OSI-certification of licenses, though I must admit, I've never actually seen anyone advertize an open source license as being OSI approved.

These days, the trend has been away from so-called "vanity licenses" whereby companies introduce their own distinct open source license. Sun for example, released Java under the GPL 2 rather than under their earlier open source licenses. And it turns out that by some accounts as much as 70% of all open source projects on sourceforge use the GPL or related LGPL license. Still, there are plenty of new projects out there under the BSD License or under variations of the Mozilla MPL.

Still, in the last two years, many new companies have sprung up that have open source products and services they sell and while some have selected the GPL, many others have used variations on the Mozilla MPL. This includes venture-backed open source application companies such as SugarCRM, Zimbra, Alfresco and others. None of these companies claim to have OSI-approved licenses and I don't think it's hurt them at all. Generally, they follow a common understanding of open source, but where they deviate from the OSI definition is around attribution. For most users of their software, they can be regarded as open source and having a fairly liberal license; you can modify the software, use it, copy it and so on. Of course "fairly liberal" is my view of their licenses, and others may have their own views. (And you can also find a response from SugarCRM CEO John Roberts on why attribution matters.)

Attribution is not uncommon in the open source world and there's been a history of many projects and licenses enabling people to use or modify the software, but requiring that they acknowledge the original authorship. Works published under a Creative Commons license also frequently include an attribution clause. I consider it very generous that Cory Doctorow publishes his books under Creative Commons and I respect that the Creative Commons license does not enable me to publish his book, change all the character names to friends of mine and claim that I am the author. Most writers or programmers understand that part of the reason you publish something under an open source license is that you want people to recognize and acknowledge your work.

In the case of applications companies, there is a good question as to what is legitimate attribution and how much is too much. Some folks seem to feel that the OSI should have some lock on approving all open source licenses and that companies should have to acknowledge that their license is not approved by the OSI. This is crazy talk! I have tremendous respect for the OSI and the work that Bruce Perens undertook to create the OSI defnition, but, hey, it's a free country. I don't ask anyone to approve that my blog is following the standards of blogging (whatever those might be), why should someone have to follow the OSI's definition of open source if they don't want to?

Open Source is about freedom. And that also includes the freedom to have many different licenses that serve different purposes. Personally, I think that the attribution clauses from SugarCRM are quite reasonable. They protect SugarCRM from being poached by someone who might otherwise decide to just fork their software and present it as their own. Which if you get down to it, is pretty much what Oracle is doing with Red Hat. So it makes sense for open source companies to protect their hard work by requiring attribution. You can argue that the attribution clauses might be too strict or too precise, but I think that's again a very subjective evaluation. It's entirely up to these companies to decide what they think is right for their market.

The funny thing is, I don't see any users complaining about this. While it makes for interestingreading among open source cognoscenti, I think that for most users, it's a moot point. Users are very well served by the companies mentioned regardless of the attribution clause. And you could argue, they are better served with the clause since their vendor's business is more defensible.

There's also poll below on Dana Blankenhorn's ZDNet blog asking whether SugarCRM is open source based. While I think it's perhaps comical to ask this question in a poll, feel free to give your views. (And you can guess how I voted.)